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(54) Secure database 

(57) A secure datat)ase system comprises a sen/er 
having a database Including at (east one personal Infor- 
mation table and at least one further table containing 
information relating to the persons whose details are 
stored in the personal infonrotion table. The keys of the 
tables in the database are unrelated, so that it is impos- 
sible to determine solely from information in the server 
whfch record in the further table corresponds to which 



record in the personal information table. Thus, even if a 
hacker obtains access to the database, the hacker will 
not be able to relate information in the different tables. 
Each legitimate client uses an encryptk)n process to 
convert a personal identifier value, which identifies the 
record relating to a particular person in the personal in- 
formation table, into a pseudo-identifier value, which 
identifies a record relating to the same person in the fur- 
ther table. 
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Description 

Backarpund to the Invention 

This invention relates to secure databases. 

Many countries have legislation for controlling the 
way in which personal data may be stored and used on 
computer systems. For example, the Dutch Personal 
Data Registration Act ( -Wet Persoonsregistraties") de- 
mands (among other things) that the database must be 
secured against hackers who have succeeded In getting 
unauthorised access to the database despite all security 
applied to it. i-fowever, it has been found that conven- 
tional database systems do not satisfy this requirement. 
For example, in conventbnal hospital information sys- 
tems, if a hacker gains access to a medical history 
record, the hacker can obtain the patient's key from this 
record and use this key to access any other records con- 
taining information about the same patient, such as the 
patient's name and address. 

The object of the present inventton Is to provide a 
way of overcoming this problem. 



Summan^ of the inventton 

According to the invention a computer system com- 
prises: 

(a) a server having a database Including at least one 
personal infomnation table and at least one further 
table containing information relating to persons 
whose details are stored in the personal information 
table; and 

(b) a plurality of clients, for accessing said data- 



(c) said tables in said database having keys that are 
unrelated to each other, whereby it is impossible to 
determine solely from information in the server 
which record in said further table conresponds to 
which record in saki personal Infonnatbn table; and 

(d) each client including an encryptbn process for 
converting a personal identifier value, which Identi- 
fies a record relating to a particular person in said 
personal information table, into a pseudo-identifier 
value, which identifies a record relating to the same 
person In saki further table. 

It can be seen that, even if a hacker obtains access 
to the database, the hacker will not be able to relate In- 
formation in the different tables. In a hospital Infonratfon 
system for example, If a hacker obtains access to a med- 
ical history record, the hacker cannot relate this record 
to a particular patient 

Brief Description of the Drawing 

Figure I is a bkx;k diagram showing a computer 
system Incorporating a secure database. 
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Figure 2 shows a skeleton model of the database. 

Descrfotton of an Embodiment of the Inventton 

One embodiment of the invention will now be de- 
scribed by way of example with reference to the accom- 
panying drawings. This consists of a hospital records 
system which stores infonmatlon about patients and 
their treatments, and which can only be accessed by au- 
thorised users, such as doctors, nurses and administra- 
tors. However, it will be appreciated that the invention 
can also be used in other applicattons where there Is a 
need to protect personal data. For example, the Inven- 
tion could also be used in an insurance company data- 
base for storing personal data about customers and de- 
tails about their claims. 

Overall view of the system 

Referring to Figure 1 , this shows a distributed com- 
puter system comprising a server 10 and a number of 
clients 11, interconnected by a network 12. The sender 
is a central hospital computer, and the clients are per- 
sonal computers (PCs), located on individual users' 
desks. The server 10 runs a database application 13, 
which may be any database system; for example, it may 
be an Oracle database. Each client 1 1 runs a client ap- 
plicatton 14, whteh enables an authorised user to com- 
munteate with the database, and to access data from it 

Refemng to Figure 2, the database 13 holds a 
number of tables. Each of these tables has a primary 
key (indicated by "pk"), whfch unquely identifies each 
record in the table. This primary key is a numeric figure, 
starting with 1 (one) for the first record written In the table 
and incremented by 1 (one) for each subsequent record 
inserted into that table. Some of the tables also include 
foreign keys (Indicated by fk"), which identify connec- 
tions between the tables. 

There are two groups of tables. The first group con- 
tains personal data about patients and users, and the 
data defining the periods of care. Only the data in this 
group is required in order to establish if a user is allowed 
to access the records for a particular patient. This group 
comprises the foltowing tables: 



Patient Personal, non-medical data about Indi- 
vkJual patients, such as the patient's 
name, address and telephone number. 

^ User Information about authorised users of 

the system. The information includes 
such things as name, togin name, and 
doctor's specialism. 

55 CarePeriod Information about which users are cur- 
rently responsible for the care of IndivkJ- 
ual patients. 
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The second group of tables holds medical data. It 
consists of a large number of tables, each of which holds 
one and only one group of facts. Some examples of ta> 
ties in this second group are as follows: 

Registration Information about registration of indi- 
vidua! patients. There is one row In 
this table for each patient currently un- 
der active care. 

Appointment Information about appointments that 
have been arranged for individual pa- 
tients. 

Medication Information about medication that has 
been prescribed for individual pa- 
tients. 

PatientNote Free-text medical notes on individual 
patients. 

Each of the tables in this second group has a pri- 
mary key which is in no way related to the primary keys 
of the patient or user. Therefore, even if a hacker man- 
ages to obtain access to one of these tables, it is not 
possible for the hacker to relate the medical data to a 
partteular patient or user. 

To enable authorised users to relate the Information 
in this second group of tables to the patients or users, 
the system uses so-called pseudo-identifiers (PIDs). 
The PIDs are stored in extra columns of the tables. The 
PID values are calculated from the patients' and users' 
primary keys, using aciyptographk; algorithm. Thecryp- 
tographic algorithm is available only on the clients; the 
algorithm is not recorded in the database, and so cannot 
be discovered by a hacker who gains access to the serv- 
er. The algorithm uses a master encryption key, which 
is different for each hospital. 

TTie PID values are calculated using a different en- 
cryptfon protocol for each PID in each table. This is 
achieved by assigning a unique identifier number 
nr_PID to each PID in each table, and using this number 
as an input parameter for the cryptographic algorithm. 
In other words, the encryption algorithm for a particular 
PID uses the following three parameters: 

the primary key being encrypted, 
the hospital's master encryption key, 
- the unique identifier number nr_PlD for the PID. 

Thus, it is guaranteed that records relating to the 
same patient have different PID values in different ta- 
bles, and records with the same PID in different tables 
do not relate to the same patient. 

For example, in the database of Figure 2, unique 
identifier numbers nr_PID may be assigned to the PIDs 
as follows: 
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Free-text columns In the database, such as in the 
PatientNote table, present a particular problem, since a 
user is free to put any text in these columns, and may 
therefore include the patients name. This wouki be of 
great assistance to a hacker. This problem is overcome 
by storing such free text in encrypted form, using an en- 
cryption algorithm resident on the client. 

Login 

This section describes the operation of the system 
when a user logs in. 

The client application first prompts the user to enter 
his or her login name and password, and sends a login 
message to the database application. When the data- 
base application receives this message, it authenticates 
the user Techniques for authentication of users are well 
known, and so will not be described in any further detail. 

Assuming that the user has been correctly authen- 
ticated, the database applicatk)n then searches the Us- 
er table, to find the record that matches the user's login 
name. From this record, the database application ob- 
tains the user's primary key. 

The client applicatton then encrypts the user's pri- 
mary key, using the appropriate nr_PlD (34 for example) 
as a parameter, to generate a user PID value for access- 
ing the CarePeriod table. The PID is sent to the data- 
base application. 

The database application then searches the 
CarePeriod table, to find all rows containing this PID. 
This identifies all the patients currently in the care of this 
particular user. The database application then uses the 
patient keys from these rows to access the correspond- 
ing rows of the Patient table. The patients' personal de- 
tails are read from the Patient table, and are retumed to 
the client application, where they are displayed to the 
user. 

Medication table 

This section describes the operation of the system 
when a user wishes to obtain details of a particular pa- 
tient's medication. It is assumed that the user has 
logged in to the system and has obtained the patient's 
primary key as described above. 

The client application encrypts the patient's primary 
key. using the appropriate nr_PID (47 for example) as a 
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